UefiPayloadPkg: Add Secure Boot support

Cc: Guo Dong <guo.dong@intel.com> Cc: Ray Ni <ray.ni@intel.com> Cc: Maurice Ma <maurice.ma@intel.com> Cc: Benjamin You <benjamin.you@intel.com> Signed-off-by: Sean Rhodes <sean@starlabs.systems> Change-Id: I4f44e29bc967b7d2208193e21aeeef8b96afcc69
2022-01-03 15:56:05 +00:00
parent 35dde2452d
commit 2dc1e51593
14 changed files with 674 additions and 12 deletions
--- a/UefiVariableBinary/UefiVariableBinary.dsc
+++ b/UefiVariableBinary/UefiVariableBinary.dsc
@@ -0,0 +1,20 @@
+## @file
+# Secure Boot Variable File
+#
+# Builds a firmware volume to contain Secure Boot keys
+#
+# Copyright (c) 2021, Star Labs Online Limited. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+[Defines]
+  PLATFORM_NAME                  = SecureBoot
+  PLATFORM_GUID                  = 1035eeff-543e-4abb-ac7e-bcd68cb530f8
+  PLATFORM_VERSION               = 0.1
+  OUTPUT_DIRECTORY               = Build/UefiVariableBinary
+  SUPPORTED_ARCHITECTURES        = IA32|X64
+  BUILD_TARGETS                  = DEBUG|RELEASE|NOOPT
+  SKUID_IDENTIFIER               = DEFAULT
+  FLASH_DEFINITION               = UefiVariableBinary/UefiVariableBinary.fdf
+
+
--- a/UefiVariableBinary/UefiVariableBinary.fdf
+++ b/UefiVariableBinary/UefiVariableBinary.fdf
@@ -0,0 +1,31 @@
+## @file
+# FDF include file which allows to embed Secure Boot keys
+#
+#  Copyright (c) 2021, Star Labs Online Limited. All rights reserved.
+#
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+[Defines]
+DEFINE FD_SIZE     = 0x00850000
+DEFINE NUM_BLOCKS  = 0x850
+
+[FV.SecureBoot]
+FILE FREEFORM = 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 {
+  SECTION RAW = UefiVariableBinary/keys/pk.crt
+  SECTION UI  = "PK Default"
+}
+
+FILE FREEFORM = 6f64916e-9f7a-4c35-b952-cd041efb05a3 {
+  SECTION RAW = UefiVariableBinary/keys/MicCorKEKCA2011_2011-06-24.crt
+  SECTION UI  = "KEK Default"
+}
+
+FILE FREEFORM = c491d352-7623-4843-accc-2791a7574421 {
+  SECTION RAW = UefiVariableBinary/keys/MicWinProPCA2011_2011-10-19.crt
+  SECTION UI  = "DB Default"
+}
+
+FILE FREEFORM = 5740766a-718e-4dc0-9935-c36f7d3f884f {
+  SECTION RAW = UefiVariableBinary/keys/dbxupdate_x64.bin
+  SECTION UI  = "DBX Default"
+}
--- a/UefiVariableBinary/keys/MicCorKEKCA2011_2011-06-24.crt
+++ b/UefiVariableBinary/keys/MicCorKEKCA2011_2011-06-24.crt
--- a/UefiVariableBinary/keys/MicWinProPCA2011_2011-10-19.crt
+++ b/UefiVariableBinary/keys/MicWinProPCA2011_2011-10-19.crt
--- a/UefiVariableBinary/keys/README
+++ b/UefiVariableBinary/keys/README
@@ -0,0 +1,8 @@
+# PK certificate generation
+
+* Do not save private key for re-usage.
+* Generate a RSA 2048 / SHA256 x509 certificate
+* Exponent should be 65537
+* Microsoft certificates can be found here: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance
+
+openssl req -outform DER -newkey rsa:2048 -keyout /dev/null -passout file:<(head -c 40 /dev/urandom) -x509 -days 365 -out pk.crt
--- a/UefiVariableBinary/keys/dbxupdate_x64.bin
+++ b/UefiVariableBinary/keys/dbxupdate_x64.bin
--- a/UefiVariableBinary/keys/pk.crt
+++ b/UefiVariableBinary/keys/pk.crt